24 August 2019

The C2 of Cyberspace is a Mess!

By Lieutenant Commander Mark G. Hofer II, U.S. Navy

Cyberspace continues to grab headlines, and regardless of what some senior leaders believe, the Navy and the Department of Defense (DoD) are not structured for the cyber fight. Wars in cyberspace will not be won by a latter-day Achilles fighting a modern Ajax. Wars will be won or lost by organizations, and U.S. organizational problems start with the most basic: No one understands the command-and-control of cyberspace forces.

For example, if the Commander, U.S. Central Command, wants to take an action in cyberspace, where does he turn? The annoying truth is, it depends. For offensive actions he should turn to Joint Force Headquarters-Cyber (JFHQ-C) (Army). For defensive actions, he should turn to JFHQ-DoD Information Network (DoDIN), although he could turn to JFHQ-C (Army) and have them try to answer using their “Regional Coordinating Authority for Cyberspace Operations” hat. If that same defensive action needs to be taken on supervisory control and data acquisition (SCADA) systems for a pipeline on a Navy base, Commander, Navy Installations Command owns it, the Defense Logistics Agency runs it, and Fleet Cyber Command will defend it.


In another example, last year the DoD chief information officer took the power to authorize the networks of all agency institutions of higher learning. That means that Commander, U.S. Fleet Cyber Command, no longer gets to decide if the Naval Postgraduate School (NPS) is operating its network at an acceptable level of risk. However, if it were discovered tomorrow that a peer competitor was inside the NPS network, the DoD chief information officer is not going to respond; everyone will be looking to Fleet Cyber Command to respond, including its commander. The person accepting the risk (DoD chief information officer) is not the person dealing with the consequences of that risk (Fleet Cyber Command), who is not the one responsible for daily operation of the network (NPS). This is a recipe for failure.

More recently, commands have followed the Navy’s push to do more on the cloud. This practice usually means paying someone else to host an organization’s data and run the servers. This move has resulted in the illusion of security, but in reality has outsourced mitigation, remediation, and incident response actions. 

Any C2 chart in the cyberspace realm is so convoluted that even the most experienced commanders can be forgiven for getting it wrong. The fact that several new terms had to be invented to stitch it together is evidence of the problem. That most of these terms are poorly defined makes matters worse. Few organizations take cybersecurity seriously until they have a major incident on their network, and the incentives are aligned to keep it that way.

These problems stem from tough decisions that the department has spent decades avoiding. To solve cyberspace C2, questions such as “Who really owns the network?” “Who do we hold accountable?” and “Are authority and accountability properly aligned?” need to be answered.
